XOOPS 2.3.2b - Security Release

Security is always at the top of the list for the XOOPS developers. Therefore the XOOPS Development Team is pleased to announce the release of XOOPS 2.3.2b, an improved XOOPS 2.3.x release.

This release is solely for a couple of critical fixes, including an XSS vulnerability reported by Digital Security Research Group (DSRG), a potential local file inclusion vulnerability reported by DSRG, an autologin bug reported by Dylian, a backward-compatibility bug in data synchronization reported by boy0917, as well as a bug in xoopsmailer reported by ezsky.

In the 2.3.2b release we have further improved security fixes with help from DSRG.

All XOOPS 2.3.x users are strongly recommended to upgrade to this version as soon as possible.

XOOPS 2.0 and 2.2 versions are not vulnerable to the XSS issues addressed here. However, all 2.0 and 2.2 users who have the Protector module installed are advised to upgrade to the version included in this package because of the local file inclusion issues.

1. Copy the content of the htdocs/ folder to where it can be accessed by your server
2. Ensure mainfile.php and uploads/ are writable by the web server
3. For security considerations, you are encouraged to move the directories "/xoops_lib" (for XOOPS libraries) and "/xoops_data" (for XOOPS data) out of the document root, or even change the folder names.
4. Make the directory xoops_data/ writable; create the directories xoops_data/caches/, xoops_data/caches/xoops_cache/, xoops_data/caches/smarty_cache/ and xoops_data/caches/smarty_compile/ and make them writable.
5. Access the folder where you installed the htdocs/ files using your web browser to launch the installation wizard
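Steps 3 and 4 above are the ones most often done wrong (a cache directory left out, or xoops_data still inside the web root). The following shell script is an added example and not part of the XOOPS package: it creates the cache directories, makes them group-writable, and checks whether a directory really sits outside the document root. The web server group name (WEB_GROUP) is an assumption.

```shell
#!/bin/sh
# Added example, not part of the XOOPS package: creates the xoops_data/ cache
# directories named in step 4 above, makes them writable for the web server,
# and checks that a directory really sits outside the document root (step 3).
# Assumption: the web server runs under the group named in WEB_GROUP.

WEB_GROUP="${WEB_GROUP:-www-data}"   # assumed group; adjust for your server

# Absolute, symlink-resolved path of a directory (no realpath(1) needed).
abs_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# prepare_xoops_data DIR: create DIR and its caches/ subdirectories and make
# them group-writable. Returns 1 if any of them ends up missing or read-only.
prepare_xoops_data() {
    data="$1"; rc=0
    for d in "$data" "$data/caches" "$data/caches/xoops_cache" \
             "$data/caches/smarty_cache" "$data/caches/smarty_compile"; do
        mkdir -p "$d" || return 1
        chgrp "$WEB_GROUP" "$d" 2>/dev/null || true   # group may not exist locally
        chmod 2775 "$d" || rc=1                         # rwx owner+group, setgid
        # The -w check runs as the invoking user; the group bit set above is
        # what the web server relies on when it writes cache files.
        [ -d "$d" ] && [ -w "$d" ] || { echo "not writable: $d" >&2; rc=1; }
    done
    return $rc
}

# outside_docroot DOCROOT DIR: returns 0 when DIR is not reachable through
# the web server (not inside DOCROOT), 1 when it still is.
outside_docroot() {
    root=$(abs_dir "$1") || return 1
    dir=$(abs_dir "$2") || return 1
    case "$dir/" in
        "$root"/*) return 1 ;;
        *)         return 0 ;;
    esac
}
```

Typical use on the server: `prepare_xoops_data /var/www/xoops_data && outside_docroot /var/www/htdocs /var/www/xoops_data` (paths are examples); a non-zero status from either call means step 3 or 4 is not done yet.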

Installing Protector in XOOPS 2.3.2
-----------------------------------

We also strongly recommend installing the PROTECTOR module, which brings additional security protection and logging capabilities to your site:

To install Protector module for the first time with a new installation of XOOPS 2.3.2, copy /extras/mainfile.dist.php.protector to /htdocs/mainfile.dist.php BEFORE installing XOOPS.

If you are upgrading an existing XOOPS website (see below for how to do it), and Protector is already installed there, copy /extras/mainfile.dist.php.protector to /upgrade/upd-2.0.18-to-2.3.0/mainfile.dist.php BEFORE upgrading XOOPS.

Upgrading from a previous version
-----------------------------------

As always, make sure you have a fresh BACKUP before you upgrade!!!

Upgrading from XOOPS 2.3.x (easy way)

1. Get the update package from the SourceForge file repository
2. Overwrite your existing files with the new ones
3. Move the "upgrade" folder inside the "htdocs" folder on your local machine (it's been kept out as it's not needed for full installs)
4. Access /upgrade/ with a browser, and follow the instructions
5. Follow the instructions to update your database
6. Delete the upgrade folder from your server
7. Update the "system" module from the modules administration interface; other modules, especially "profile", are recommended to update as well

Upgrading from XOOPS 2.0.* above 2.0.14 and 2.2.* (using the full package)

1. Move the "upgrade" folder inside the "htdocs" folder on your local machine (it's been kept out as it's not needed for full installs)
2. Delete htdocs/mainfile.php, htdocs/install/, htdocs/cache/, htdocs/extras/, htdocs/template_c/, htdocs/themes/ and htdocs/uploads/ from the "htdocs" folder on your LOCAL machine
3. Upload the content of the htdocs folder on your LOCAL machine over your existing files on your server
4. For security considerations, you are encouraged to move the directories xoops_lib (for XOOPS libraries) and xoops_data (for XOOPS data) out of the document root, or even change the folder names.
5. Make the directory xoops_data/ writable; create the directories xoops_data/caches/, xoops_data/caches/xoops_cache/, xoops_data/caches/smarty_cache/ and xoops_data/caches/smarty_compile/ and make them writable.
6. Ensure the server can write to mainfile.php
7. Access /upgrade/ with a browser, and follow the instructions
8. Follow the instructions to update your database
9. Write-protect mainfile.php again
10. Delete the upgrade folder from your server
11. Update the "system" module from the modules administration interface; other modules are recommended to update as well

Upgrading from any XOOPS version from 2.0.7 to 2.0.13.2 (using the full package):

1. Move the "upgrade" folder inside the "htdocs" folder on your LOCAL machine (it's been kept out as it's not needed for full installs)
2. Delete htdocs/mainfile.php, htdocs/install/, htdocs/cache/, htdocs/extras/, htdocs/template_c/, htdocs/themes/ and htdocs/uploads/ from the "htdocs" folder on your LOCAL machine
3. Upload the content of the htdocs folder on your LOCAL machine over your existing files on your server
4. Delete the following folders and files from your server (they belong to an old version):
   * class/smarty/core
   * class/smarty/plugins/resource.db.php
5. Ensure the server can write to mainfile.php
6. For security considerations, you are encouraged to move the directories xoops_lib (for XOOPS libraries) and xoops_data (for XOOPS data) out of the document root, or even change the folder names.
7. Make the directory xoops_data/ writable; create the directories xoops_data/caches/, xoops_data/caches/xoops_cache/, xoops_data/caches/smarty_cache/ and xoops_data/caches/smarty_compile/ and make them writable.
8. Access /upgrade/ with a browser, and follow the instructions
9. Write-protect mainfile.php again
10. Delete the upgrade folder from your server
11. Update the "system" module from the modules administration interface; other modules are recommended to update as well

Upgrading a non UTF-8 site:

UTF-8 encoding has been introduced in XOOPS 2.3 as the default charset. However, there might be problems converting existing websites from a non UTF-8 charset to UTF-8. Until there is a good enough solution for this conversion, the following settings are recommended when you upgrade an existing website, if you are not an experienced user:

- Select the "Do not change" option in the "Database character set and collation" step during the upgrade process
- Modify /languages/yourlanguage/global.php to use the existing _CHARSET value if it has been changed to UTF-8 in your new global.php file, i.e. the line

define('_CHARSET', 'UTF-8');

Upgrading the XoopsEditor package:

In the XOOPS 2.3.2b package, five editors are included: dhtmltextarea and textarea for plain text, and fckeditor, tinymce and koivi for WYSIWYG HTML. Since there are directory structure changes in both the fckeditor and tinymce editors, you are recommended to remove the existing editors before uploading the new ones. And if you are using fckeditor for modules, please modify the module-specific configs following the files in /fckeditor/modules/, especially if you use the "article" module.

Debug information display level
-----------------------------------

Since XOOPS 2.3.1, a debug information display level has been enabled as a temporary solution for 2.3.* to show debug information to different levels of users: to all users, to members, or to admins only. The setting can be changed in /xoops_data/configs/xoopsconfig.php. A new debug information renderer is being redesigned for XOOPS 3.0.

Files integrity check
-----------------------------------

The full XOOPS package is released with a script able to check if all the system files have been correctly uploaded to the server. To use it, follow these instructions:

1. Upload the checksum.php and checksum.md5 files located in the XOOPS package root to your XOOPS server folder (putting them next to mainfile.php)
2. Execute checksum.php with your browser
3. If necessary, re-upload the missing or corrupted system files
4. Remove checksum.php and checksum.md5 from your server
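For admins with shell access who would rather not put a PHP script on the live site, the same check can be done from the command line. The script below is an added example, not the checksum.php shipped with XOOPS; it assumes checksum.md5 uses the md5sum layout ("<md5>  <relative path>" per line), which is an assumption about the file's format.

```shell
#!/bin/sh
# Added example; this is not the checksum.php shipped with XOOPS. It checks
# a site tree against an md5sum-style list, "<md5>  <relative path>" per
# line (the exact layout of XOOPS's checksum.md5 is an assumption here),
# and prints which files must be re-uploaded (step 3 above).

# md5_of FILE: hex digest, using md5sum(1), or openssl(1) as a fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl md5 -r "$1" | cut -d' ' -f1
    fi
}

# verify_checksums LIST ROOT: prints "MISSING <path>" or "CORRUPT <path>"
# for every entry that does not match; returns the number of such files
# (0 = every listed file is present and intact).
verify_checksums() {
    list="$1"; root="$2"; bad=0
    while read -r sum path; do
        [ -z "$sum" ] && continue             # blank line
        case "$sum" in \#*) continue ;; esac  # comment line
        path="${path#\*}"                     # md5sum's "binary" marker
        f="$root/${path#./}"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; bad=$((bad + 1))
        elif [ "$(md5_of "$f")" != "$sum" ]; then
            echo "CORRUPT $path"; bad=$((bad + 1))
        fi
    done < "$list"
    return $bad
}
```

Run it from the folder that holds mainfile.php, e.g. `verify_checksums checksum.md5 .`, and delete checksum.md5 afterwards as step 4 says.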

Modules
-----------------------------------

This release contains only the "system-related modules". You are invited to browse the XOOPS modules repository if you need additional functionality. Note: as a new repository is being built, the current repository is not up to date; PLEASE VISIT INDIVIDUAL DEVELOPERS' WEBSITES TO MAKE SURE YOU ARE USING THE LATEST VERSION OF MODULES.

In the "update" to a previous version (e.g. 2.3.1 -> 2.3.2b) there is only one file, since it's the only one that changed. So copy it over your previous version's "/upgrade" directory, and then copy the whole thing to your Website. This way you'll have it all.

But I see that this could be confusing, so I'll redo the "Update" files on SourceForge, and provide all files in the /upgrade directory.

The practice of using 'a', 'b', 'c', etc... nomenclature should be eliminated in XOOPS releases because there's no easy way to figure out which "version" of 2.3.2 you have without doing individual file compares. If you look at the 2.3.2b upgrade release the ./include/version.php doesn't even have the alpha characters because it's not something XOOPS knows about.

Every time a new release is made (even if it's only to fix a typo) the minor rev should change (e.g. 2.3.2, 2.3.3, 2.3.4, etc). Adding the alpha character "sub-release" is just poor code control practice and results from not following standard coding practices. Usually it's caused because a developer doesn't want to go through the "normal" release process - also a bad practice.

Sorry, I'm done ranting... I'll get down off my soap box and go try and patch some of my sites with this version of 2.3.2

Just to say that I've updated 4 sites successfully with this release in the last 12 hours. Many thanks for the work, guys. And agree that an extra decimal (even 2.3.2.3 for example) would be nice to see next time too.

Would it also be possible to make the instructions a wee bit clearer in the future? I'm just waiting for all the support posts from people who just replaced their Protector module with the directory in this release rather than opened it up and replaced individual files as was intended (same problem as I mentioned earlier with the upgrade folder).

Thanks Mamba. Sorry for the 'rant'. It's something that's bugged me for a while, it was late and I 'reacted' to John's comment. Thanks for taking the suggestion at its intent and not reacting to the wording. Next time I'll try and voice my suggestions before they become frustrations.

There is mention of using the upgrade directory, while there is NOT even an upgrade rule visible for 2.3.2; it tells me there is no upgrade necessary... That might be confusing to people...

Also there is only checksum.md5, I believe there should also be a checksum.php?

And finally I see there is a change made in xoops.css. I am using a theme that is based on MorphoGenesis. I also have the problems mentioned for which the fix is, but what should I change in that CSS to fix it, other than just compare and search for the changes?

After upgrade to version 2.2.3b some images on the main site are resized to thumbs.. any idea how to set things straight here? Upgrading went perfect but I can't seem to find an answer to this question. TIA Ritchie.

I copied all the folders as instructed and when I go to the upgrade folder as specified I get this error message, can someone help? "Error: Smarty error: the $compile_dir 'XOOPS_VAR_PATH/caches/smarty_compile' does not exist, or is not a directory."

So, what I did was rename xoops_data and xoops_lib by adding .htaccess to each but I left them in place in the root and ran my install pointing to the new names in the setup procedure. Is this move adequate for security considerations?